Merge pull request #13771 from naveensrinivasan/naveen/feat/pin-actions

Pinned actions to SHA and included permissions for actions

Author: spowelljr

.github/workflows/build.yml

@@ -13,12 +13,15 @@ on:
 env:
   GOPROXY: https://proxy.golang.org
   GO_VERSION: '1.17.7'
+permissions:
+  contents: read
+
 jobs:
   build_minikube:
     runs-on: ubuntu-20.04
     steps:
-      - uses: actions/checkout@v2
-      - uses: actions/setup-go@v2
+      - uses: actions/checkout@629c2de402a417ea7690ca6ce3f33229e27606a5 # v2
+      - uses: actions/setup-go@bfdd3570ce990073878bf10f6b2d79082de49492 # v2
         with:
           go-version: ${{env.GO_VERSION}}
           stable: true
@@ -37,15 +40,15 @@ jobs:
           echo workspace $GITHUB_WORKSPACE
           echo "end of debug stuff"
           echo $(which jq)
-      - uses: actions/upload-artifact@v2
+      - uses: actions/upload-artifact@82c141cc518b40d92cc801eee768e7aafc9c2fa2 # v2
         with:
           name: minikube_binaries
           path: out
   lint:
     runs-on: ubuntu-20.04
     steps:
-      - uses: actions/checkout@v2
-      - uses: actions/setup-go@v2
+      - uses: actions/checkout@629c2de402a417ea7690ca6ce3f33229e27606a5 # v2
+      - uses: actions/setup-go@bfdd3570ce990073878bf10f6b2d79082de49492 # v2
         with:
           go-version: ${{env.GO_VERSION}}
           stable: true
@@ -63,8 +66,8 @@ jobs:
   unit_test:
     runs-on: ubuntu-20.04
     steps:
-      - uses: actions/checkout@v2
-      - uses: actions/setup-go@v2
+      - uses: actions/checkout@629c2de402a417ea7690ca6ce3f33229e27606a5 # v2
+      - uses: actions/setup-go@bfdd3570ce990073878bf10f6b2d79082de49492 # v2
         with:
           go-version: ${{env.GO_VERSION}}
           stable: true

.github/workflows/docs.yml

@@ -7,12 +7,15 @@ on:
 env:
   GOPROXY: https://proxy.golang.org
   GO_VERSION: '1.17.7'
+permissions:
+  contents: read
+
 jobs:
   generate-docs:
     runs-on: ubuntu-20.04
     steps:
-      - uses: actions/checkout@v2
-      - uses: actions/setup-go@v2
+      - uses: actions/checkout@629c2de402a417ea7690ca6ce3f33229e27606a5 # v2
+      - uses: actions/setup-go@bfdd3570ce990073878bf10f6b2d79082de49492 # v2
         with:
           go-version: ${{env.GO_VERSION}}
           stable: true
@@ -26,7 +29,7 @@ jobs:
           echo "::set-output name=changes::$c"
       - name: Create PR
         if: ${{ steps.gendocs.outputs.changes != '' }}
-        uses: peter-evans/create-pull-request@v3
+        uses: peter-evans/create-pull-request@18f7dc018cc2cd597073088f7c7591b9d1c02672 # v3
         with:
           token: ${{ secrets.MINIKUBE_BOT_PAT }}
           commit-message: Update auto-generated docs and translations

.github/workflows/functional_verified.yml

@@ -23,15 +23,18 @@ env:
   GOPROXY: https://proxy.golang.org
   GO_VERSION: '1.17.7'
 
+permissions:
+  contents: read
+
 jobs:
   # Runs before all other jobs
   # builds the minikube binaries
   build_minikube:
     if: contains(github.event.pull_request.labels.*.name, 'ok-to-test')
     runs-on: ubuntu-20.04
     steps:
-      - uses: actions/checkout@v2
-      - uses: actions/setup-go@v2
+      - uses: actions/checkout@629c2de402a417ea7690ca6ce3f33229e27606a5 # v2
+      - uses: actions/setup-go@bfdd3570ce990073878bf10f6b2d79082de49492 # v2
         with:
           go-version: ${{env.GO_VERSION}}
           stable: true
@@ -43,11 +46,13 @@ jobs:
           sudo apt-get install -y libvirt-dev
           MINIKUBE_BUILD_IN_DOCKER=y make cross e2e-cross debs
           cp -r test/integration/testdata ./out
-      - uses: actions/upload-artifact@v2
+      - uses: actions/upload-artifact@82c141cc518b40d92cc801eee768e7aafc9c2fa2 # v2
         with:
           name: minikube_binaries
           path: out
   functional_docker_ubuntu_arm64:
+    permissions:
+      contents: none
     needs: [ build_minikube ]
     runs-on: [ self-hosted, arm64 ]
     env:
@@ -110,13 +115,13 @@ jobs:
           hostname || true
           echo "--------------------------"
       # go 1.14.6+ is needed because of this bug https://github.com/golang/go/issues/39308
-      - uses: actions/setup-go@v2
+      - uses: actions/setup-go@bfdd3570ce990073878bf10f6b2d79082de49492 # v2
         with:
           go-version: ${{env.GO_VERSION}}
           stable: true
 
       - name: Download Binaries
-        uses: actions/download-artifact@v1
+        uses: actions/download-artifact@fdafc3f9f2e2a522dc1d230e6a03de57a1e71c95 # v1
         with:
           name: minikube_binaries
 
@@ -162,7 +167,7 @@ jobs:
           echo "${STAT}" >> $GITHUB_ENV
           echo 'EOF' >> $GITHUB_ENV
 
-      - uses: actions/upload-artifact@v2
+      - uses: actions/upload-artifact@82c141cc518b40d92cc801eee768e7aafc9c2fa2 # v2
         with:
           name: functional_docker_ubuntu_arm64
           path: minikube_binaries/report
@@ -190,21 +195,23 @@ jobs:
   # After all integration tests finished
   # collect all the reports and upload them
   upload_all_reports:
+    permissions:
+      contents: none
     needs:
       [
         functional_docker_ubuntu_arm64,
       ]
     runs-on: ubuntu-20.04
     steps:
       - name: download all extra reports
-        uses: actions/download-artifact@v2-preview
+        uses: actions/download-artifact@9fde3de0b74bd6bc202952485c264b551a4f9405 # v2-preview
       - name: upload all extra reports
         shell: bash {0}
         continue-on-error: true
         run: |
           mkdir -p all_reports
           cp -r ./functional_docker_ubuntu_arm64 ./all_reports/
-      - uses: actions/upload-artifact@v2
+      - uses: actions/upload-artifact@82c141cc518b40d92cc801eee768e7aafc9c2fa2 # v2
         with:
           name: all_reports
           path: all_reports

.github/workflows/leaderboard.yml

@@ -8,12 +8,15 @@ on:
     types: [published]
 env:
   GO_VERSION: '1.17.7'
+permissions:
+  contents: read
+
 jobs:
   update-leaderboard:
     runs-on: ubuntu-20.04
     steps:
-      - uses: actions/checkout@v2
-      - uses: actions/setup-go@v2
+      - uses: actions/checkout@629c2de402a417ea7690ca6ce3f33229e27606a5 # v2
+      - uses: actions/setup-go@bfdd3570ce990073878bf10f6b2d79082de49492 # v2
         with:
           go-version: ${{env.GO_VERSION}}
           stable: true
@@ -29,7 +32,7 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.MINIKUBE_BOT_PAT }}
       - name: Create PR
         if: ${{ steps.leaderboard.outputs.changes != '' }}
-        uses: peter-evans/create-pull-request@v3
+        uses: peter-evans/create-pull-request@18f7dc018cc2cd597073088f7c7591b9d1c02672 # v3
         with:
           token: ${{ secrets.MINIKUBE_BOT_PAT }}
           commit-message: Update leaderboard